Authentication based on proximity to mobile device

ABSTRACT

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for performing multi-factor authentication. In one aspect, a method includes determining that a user has successfully completed an authentication factor, determining whether a mobile device associated with the user is proximate to a computer; and authenticating the user based on determining that the user has successfully completed the authentication factor, and that the mobile device is proximate to the computer.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No. 13/487,745, filed on Jun. 4, 2012, which claims the benefit of priority of U.S. Application Ser. No. 61/522,352, filed on Aug. 11, 2011. The contents of each of these applications are incorporated herein by reference.

TECHNICAL FIELD

This specification relates to multi-factor authentication.

BACKGROUND

Multi-factor authentication is a security protocol that requires a user to confirm their identity using more than one authentication technique. Using two-factor authentication, for example, the identity of the user can be authenticated based both on something that the user knows, such as the password to a user account, and something that the user has, such as a security token.

SUMMARY

In general, one innovative aspect of the subject matter described in this specification can be embodied in processes for authenticating the user of a computer systems, using an enhanced multi-factor authentication protocol. Under this enhanced protocol, one of the authentication factors can be satisfied when a mobile device belonging to the user is determined to be physically co-located with, or proximate to, the computer system which the user is attempting access.

Co-location with, or proximity to, the mobile device may be evidenced by geo-location information associated with the mobile device and the computer system, or may be based on the existence of a short-range connection between the mobile device and the computer system. Because the user of a mobile device may carry their mobile devices on their person throughout the course of their day, authentication based on the proximity to the mobile device may enhance the security of the user's authentication, without requiring the user to provide additional information, to carry additional security tokens, or to otherwise interact with the computer system or the mobile device.

In general, another innovative aspect of the subject matter described in this specification can be embodied in processes that include the actions of determining that a user has successfully completed an authentication factor, determining whether a mobile device associated with the user is proximate to a computer; and authenticating the user based on determining that the user has successfully completed the authentication factor, and that the mobile device is proximate to the computer.

Other embodiments of these aspects include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.

In some embodiments, determining that the mobile device associated with the user is proximate to the computer includes determining a location of the mobile device, determining a location of the computer, and determining that a distance between the location of the mobile device and the location of the computer is within a predetermined threshold; determining that the mobile device associated with the user is proximate to the computer includes determining the existence of a connection between the mobile device and the computer; the actions include determining, in response to determining that the mobile device is not proximate to the computer, that the user has successfully completed an additional authentication factor, and authenticating the user based on determining that the user has successfully completed both the authentication factor and the additional authentication factor; determining that the user has successfully completed the authentication factor includes determining that the user has successfully completed an authentication factor for gaining access to the computer; determining that the user has successfully completed the authentication factor includes determining that the user has successfully completed an authentication factor through interaction with the computer; the actions include associating the mobile device with the user, prior to determining whether the mobile device associated with the user is proximate to the computer, wherein the association is formed through user interaction with the mobile device; the actions include associating the mobile device with the user, prior to determining whether the mobile device associated with the user is proximate to the computer, wherein the association is formed through user interaction with the computer; and/or the actions include determining that the mobile device can no longer be used to authenticate any user prior to determining whether the mobile device associated with the user is proximate to the computer, and eliminating the association between the mobile device and the user.

Particular implementations of the subject matter described in this specification can be implemented so as to realize one or more of the following advantages. A user can be authenticated by merely possessing the mobile device proximate to the computer. In particular, the user need not execute an application on the mobile device or enter an access code either into the mobile device or the computer system. The mobile device and the computer system can exchange information wirelessly, negating any hard-wire connections. The mobile device need not be physically modified to prove the existence of a connection. The mobile device need be configured only once. Subsequently, it can be used as an authentication factor multiple times without requiring any physical connections or data input.

The details of one or more embodiments of the subject matter described in this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter will become apparent from the description, the drawings, and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A and 1B illustrate systems that implement multi-factor authentication using a device proximity-based authentication factor.

FIG. 2 illustrates a user interface for receiving information to associate a mobile device with a user.

FIG. 3 is a flowchart of an example multi-factor authentication process.

FIG. 4 illustrates operations performed in a multi-factor authentication process.

Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION

FIGS. 1A and 1B illustrate systems that implement multi-factor authentication using a device proximity-based authentication factor. In FIG. 1A, a computer system 100 a authenticates a user 110 a, who is attempting to access the computer system 100 a. The computer system 100 a authenticates users using multi-factor authentication, at least one factor of which is performed in coordination with a mobile device 120 a.

The computer system 100 a can include one or more processors 102 a and a computer-readable storage medium 104 a storing one or more computer program instructions executable by the one or more processors 102 a. The mobile device 120 a can include, among other components, one or more processors (not shown) that execute computer applications. The mobile device 120 a can be, for example, a personal digital assistant (PDA), a smart phone, a navigation system, a music player, tablet computer, e-book reader, a key fob, or any other type of computing device. Each of the computer system 100 a and the mobile device 120 a can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on each of them, which causes each of them to perform the actions.

The computer-readable storage medium 104 a of the computer system 100 a stores computer software programs executable by the one or more processors 102 a to authenticate the user 110 a. The user 110 a is authenticated based on the user 110 a successfully completing a multiple authentication factors, including an authentication factor that determines whether the mobile device 120 is proximate to the computer system 100 a. Once the user is authenticated, the computer system 100 a grants the user access to information, stored on the computer system 100 a or accessible through the computer system 100 a or both.

To determine that the user 110 a has successfully completed the first authentication factor, the computer system 100 a can implement a computer software application in which the computer system 100 a that requests the user 110 a to perform an action to gain access to the computer system 100 a. If the computer system 100 a determines that the user 110 a has failed to successfully perform the requested action, then the computer system 100 a determines that the user 110 a has failed to successfully complete the first authentication factor, and denies the user 110 a access to the computer system 100 a.

In some implementations, to request the user 110 a to perform the action, the computer system 110 a can display a user interface 108 in a display device 106 a coupled to the computer system 100 a, and can request that the user 110 a provide a user identifier (ID) and a password (PWD) in the user interface 108 a. The user 110 a may have previously created and stored a user account on the computer system 100 a. When the computer system 100 a determines that the password received in the user interface 108 a is correct (for example, matches the stored password associated with the user account of the user 110 a), the computer system 100 a determines that the first authentication factor has been successfully completed. Thus, the first authentication factor may be based on something that the user has knowledge of, namely, the password.

After the user 110 a has successfully completed the first authentication factor by interacting with the computer system 100 a, the system 100 a can implement a second authentication factor that may be satisfied through the user's possession of the mobile device 120 a. For example, the computer system 100 a can determine whether the mobile device 120 a associated with the user 110 a is proximate to the computer system 100 a.

Once the computer 100 a has determined (i) that the user 110 a has successfully completed the authentication factor, and (ii) that the mobile device 120 a is proximate to the computer, the user 110 a may be considered to be successfully authenticated. In such a situation, the computer system 100 a can grant the user 110 a access to the computer system 100 a.

The mobile device 120 a and the computer system 100 a can be configured to exchange information, for example, wirelessly, when in physical proximity to each other. As described below with reference to FIG. 2, the user 110 a can pair the mobile device 120 a and the computer system 100 a in a one-time operation, following which the computer system 100 can automatically recognize the mobile device 120 a.

Once the mobile device 120 a and the computer system 100 a are paired, the user 110 a can successfully complete the second authentication factor by merely possessing the mobile device 120 a when in physical proximity to the computer system 100. In particular, the user 110 a need not modify the mobile device 120 a, or manually invoke an application using the mobile device 120 a, or receive a code on the mobile device 120 a and provide the code to the computer system 100 a, or provide any type of input to or using the mobile device 120 a, or even touch the mobile device 120 a during the authentication process, to successfully complete the corresponding authentication factor.

In some implementations, to determine physical proximity, the computer system 100 can determine whether a distance between the mobile device 120 a and a reference location satisfies a threshold. The reference location can be the location of the computer system 100 a or can alternatively be the location of a transceiver 130 a that is coupled to the computer system 100 a through a wireless or wireline connection. In some implementations, the transceiver 130 a can be integrated into the computer system 100 a, and, in others, can be separate from the system 100 a.

The computer system 100 a can determine whether the mobile device 120 a is within a threshold distance from the reference location based on the existence of a connection between the mobile device 120 a. For example, the mobile device 120 a and the computer system 100 a can be paired by a Bluetooth connection. Such pairing may be possible only when the mobile device 120 a is within the threshold distance from the computer system 100 a. When the mobile device 120 a is positioned outside the pre-defined distance location, then the Bluetooth connection cannot be established and consequently the threshold cannot be satisfied.

Upon determining that the password received through the user interface 108 a is correct, the computer system 100 a (or the transceiver 130 a) can scan for Bluetooth compatible devices within a distance from the computer system 100 a. The distance can be the range of the Bluetooth signal that the computer system 100 a transmits. Beyond the range, the Bluetooth signal may be too weak to establish a connection.

When the mobile device 120 a, which is Bluetooth compatible and was previously paired with the computer system 100 a, is within this distance, the mobile device 120 a can receive the signal and, in turn, can transmit signals to identify itself to the computer system 100 a. Upon receiving the signals that the mobile device 120 a transmits, the computer system 100 a can determine that the mobile device 120 a is proximate to the computer, and consequently that the second authentication factor has been successfully completed.

In another example, the computer system 100 a can additionally determine whether the distance between the mobile device 120 a and the reference location satisfies the threshold based on strength of the connection. For example, the computer system 100 a can transmit a signal and a request that the mobile device 120 a acknowledge receipt of the transmitted signal. The computer system 100 a can be configured to determine a time taken for an acknowledgement signal to be received.

The mobile device 120 a can include a transceiver configured to receive the signal that the computer system 100 a transmits and to transmit an acknowledgement signal in return. When a time in which the computer system 100 a receives the acknowledgement signal from the mobile device 120 a satisfies a reference time threshold, the computer system 100 a determines that the mobile device 120 a is within a threshold distance from the computer system 100 a, and that the second authentication factor has been successfully completed.

In some implementations, the computer system 100 a can determine that the mobile device 120 a associated with the user 110 a is proximate to the computer system 100 a by determining a location of the mobile device 120 a, determining a location of the computer system 100 a (or the reference location), and determining that a distance between the location of the mobile device and the location of the computer system 100 a is within a predetermined threshold distance.

For example, the computer system 100 a can receive its location and the location of the mobile device 120 a from a position tracking system (such as, a Global Positioning System, or through WiFi triangulation). In general, the position tracking system can be any system that can determine locations with fine granularity, such that a difference between an actual location of an object and a determined location of the object is negligible (for example, of the order of one meter or a foot or less). In some implementations, the position tracking system can provide the location of the mobile device 120 a and that of the computer system 100 a to a different system (for example, a centralized server). The computer system 100 a (or the centralized server) can determine that the distance between the two locations is within the predetermined threshold.

The computer system 100 can alternatively determine whether the mobile device 120 a is within a threshold distance from the computer system 100 a based on a difference between times registered by respective atomic clocks connected to each of the mobile device 120 a and the computer system 100 a. In metrology, one meter is defined as the length of the path traveled by light in vacuum in a pre-defined fraction of a second. The pre-defined fraction can be determined using an atomic clock. The computer system 100 a can determine a distance between the mobile device 120 a and the computer system 100 a based on a time difference registered by the respective atomic clocks.

By implementing the techniques described above with reference to FIG. 1A, the computer system 100 a determines that the mobile device 120 a is proximate to the system 100 a. Thus, the computer system 100 a determines that the user 110 a has successfully completed the second authentication factor based on something that the user 110 a has, i.e., the mobile device 120 a. Therefore, the computer system 100 successfully authenticates and grants the user 110 a access, for example, to a computer software application 145 a executing on the computer system 100 a.

In FIG. 1B a computer system 100 b authenticates a user 110 b, who is attempting to access the computer system 100 b. The computer system 100 b authenticates users using multi-factor authentication, during which an attempt is made to perform at least one authentication factor in coordination with a mobile device 120 b. Specifically, the computer system 100 b requires a successful completion of a third authentication factor because the authentication factor implemented in the mobile device 120 b was not successfully completed.

In FIG. 1B, the computer system 100 b does not detect the presence of the mobile device 12 ba within the threshold distance from the reference location (i.e., the computer system 100 b or the transceiver 130 b). More particularly, the computer system 100 b implements a computer software application in which the computer system 100 b requests the user 110 b to perform an action to gain access to the computer system 100 b.

For example, the computer system 100 b requests that the user 110 b provide a correct password through the user interface 108 b. The computer system 100 b determines that the requested action was successfully performed, for example, because the computer system 100 b determines that the password received through the user interface 108 b matches a previously created password associated with a user account of user 110 b. Therefore, the computer system 100 b determines that the user 110 b successfully completed the first authentication factor.

However, the computer system 100 b determines that a mobile device 120 b, which is required for authenticating the user, is not proximate to the computer system 100 b. For example, the computer system 100 b scans for Bluetooth compatible devices, particularly, for the mobile device 120 b with which the computer system 100 b was previously paired. Because the mobile device 120 b is outside the range of the Bluetooth signal, the computer system 100 b cannot transmit signals to identify itself to the computer system 100 b.

In another example, the computer system 100 b transmits a signal and a request to acknowledge the signal. In one scenario, the mobile device 120 b does not receive the request to acknowledge the signal and does not transmit an acknowledgement signal. In another scenario, the mobile device 100 b is beyond proximity of the computer system 100 b such that a time taken for the computer system 100 b to receive the acknowledgement signal that the mobile device 120 b transmits does not satisfy the reference time threshold.

Alternatively, or in addition, the computer system 100 b can determine that the distance between the mobile device 120 b and the computer system 100 b is greater than the distance threshold by comparing the position information (for example, GPS information) describing its own position and the position of the mobile device 120 b. Because the mobile device 120 b is not proximate to the computer system 100 b, the system 100 b determines that a second authentication factor was not successfully completed. This can lead to two implications—the user 110 b is an unauthorized user who does not have access to the computer system 100 b, or the user is an otherwise authorized user who happens not to possess the mobile device 120 b at that time.

In some implementations, the computer system 100 b can deny the user 110 b access to the computer software application 145 b. In other words, the computer system 100 b determines that the absence of the mobile device 120 b is a strong implication that an unauthorized user is attempting to access the computer system 100 b.

In other implementations, the user 110 b may have forgotten the mobile device 120 b at a different location, such as the user's home. In such situations, rather than denying the user 110 access to the computer system 100 b, the system 100 b can present the user 110 b with an additional authentication factor and allow the user 110 b to establish authenticity.

At least a portion of the additional authentication factor can be implemented in the mobile device 120 b. In some implementations, the computer system 100 can determine if the mobile device 120 is within a pre-defined geographic area. When pairing the mobile device 120 b and the computer system 100 b, the user 110 b may have specified the geographic area, for example, the city, state, or country in which the user 110 b resides. The computer system 100 can receive location formation, for example, Global Positioning System (GPS) information from the mobile device 120 b (such as a latitude/longitude pair) and determine whether the mobile device 120 b is within the pre-defined geographic area.

If the computer system 100 b determines that the mobile device 120 b is within the pre-defined geographic area, then the computer system 100 b can display a user interface 140 b to the user 110 b, and request the user to provide additional information to confirm the user's identity, such as through the use of a one-time password (OTP). Thus, if the computer system 100 b determines that the mobile device 120 b is within the pre-defined geographic area and the user provides correct identifying information in the user interface 140 b, then the computer system 100 b can determine that the user 110 b is authorized and can grant access to the computer software application 145 b. Unless both conditions are satisfied, the computer system 100 b may not grant the user 110 b access.

In this manner, in response to determining that the user 110 b has successfully completed the first authentication factor and that the user 110 b has not successfully completed the second authentication factor because the mobile device 120 b is not proximate to the computer, the computer system 100 b can require that the user 110 b successfully complete an additional authentication factor. To do so, the one or more processors 102 b can execute computer software instructions stored on the computer-readable storage medium 104 b to implement a computer software application which requests additional information from the user 110 b (for example, an additional password that the user 110 b previously stored on the computer-readable storage medium 104 b).

When the computer system 100 b determines that the additional information received, for example, through the user interface 140 b, is correct, the computer system 100 b determines that the user has successfully completed the additional authentication factor. Because the computer system 100 b determines that the user has successfully completed both the first authentication factor and the additional authentication factor, the computer system 100 b can authenticate the user 110 b even though the mobile device 120 b is not proximate to the computer.

FIG. 2 illustrates a user interface 200 for receiving information to associate a mobile device with a user. In some implementations, prior to determining whether the mobile device associated with the user is proximate to the computer system, the system can associate the mobile device with the user. The user can associate the mobile device and the computer system by providing information describing the mobile device in the user interface 200. The information can include, for example, a device identifier and a make/model of the device. In addition, the information can include time frames, for example, days of the week or times of the day (or combinations of them), within which the mobile device can be used as an authentication factor.

In some implementations, the association can be formed through user interaction with the computer system. For example, the computer system can display the user interface 200 in a display device coupled to the computer system through which the user can provide the association information. In some implementations, the computer system 200 can implement a Bluetooth pairing application to identify all Bluetooth-compatible devices, including the mobile device, which are within a range of the Bluetooth signal, and display the identified devices in the user interface 200. The user can select the mobile device from among the identified devices.

In some implementations, the association can be formed through user interaction with the mobile device. For example, the mobile device can display the user interface 200 in a display section of the mobile device. The user can interact with the user interface 200 to provide the association information. In alternative implementations, the association can be formed through user interactions with both the mobile device and the computer system.

In some implementations, the computer system can determine that the mobile device can no longer be used to authenticate any user prior to determining whether the mobile device associated with the user is proximate to the computer. For example, an authorized user may have reported that a mobile device, previously associated with the computer system as described above, has been lost. Subsequently, when the computer system detects an authentication attempt using the lost mobile device, then the computer system can deny access. Further, the computer system can eliminate the association between the mobile device and the user.

FIG. 3 is a flowchart of an example multi-factor authentication process 300. Briefly, the process 300, which be implemented as one or more computer programs that can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions of determining that a user has successfully completed an authentication factor (AF1) at 305. The process 300 can check if a mobile device is proximate to a computer (AF2) at 310. If the mobile device is proximate to the computer (decision branch “YES”), then the process 300 can authenticate the user based on successful completion of the authentication factor and based on determining that the mobile device is proximate to the computer at 315.

If, on the other hand, the mobile device is not proximate to the computer (decision branch “NO”), then the process 300 can present an additional authentication factor at 320. As described above, the additional authentication factor can include determining whether the mobile device is within a pre-defined geographic area and receiving additional authentication information from the user. The process 300 can check for successful completion of the additional authentication factor (AF3) at 325. If the additional authentication factor has been successfully completed (decision branch “YES”), then the process 300 can authenticate the user based on successful completion of AF1 and AF3 at 330. If not (decision branch “NO”), then the process 300 can determine authentication failure at 335.

FIG. 4 illustrates operations performed in a multi-factor authentication process. A user 402 requests access to a computer system 400. In response, the computer system 400 initiates a multi-factor authentication process. Initially, the computer system 400 requests information that only an authenticated user will know. The user 402 provides information in response to the request. When the computer system 400 verifies that the received information is accurate, the computer system 400 determines that a first authentication factor was successfully completed.

The computer system 400 searches for a device (mobile device 404, in this example) that only an authenticated user will possess. When the mobile device 404 is proximate to the computer system 400, the device 404 receives the request for identification signals from the computer system 400. In some implementations, upon receiving the request, one or more processors included in the mobile device 404 can execute computer software applications stored on a computer-readable storage medium included in the device 404 to execute a computer software application.

In response to receiving the request, the application can present a notification indicating receipt of the request. For example, the application can display a message on a display screen of the mobile device 404, execute an instruction to emit a sound or to vibrate or combinations of them. Such a notification may alert the user 402 that the mobile device 404 has received a request from the computer system 400. Alternatively, such notification may not be necessary. Instead, the application may cause the mobile device 404 to transmit signals to the computer system 400 in response to receiving the request.

The computer system 400 receives the signals that the mobile device 404 transmits, and verifies that the received signals establish that the mobile device 404 is in physical proximity to the computer system 400. In this manner, when the computer system 400 verifies that the mobile device 404 is proximate to the computer system, the system 400 authenticates the user 402 and grants access. The authenticated user 402 can then access one or more applications executed by the computer system 400.

In some implementations, the computer system can first implement the authentication factor that is based on possession of the mobile device, and then implement the authentication factor based on knowledge of the password. In such implementations, the computer system can first determine that the mobile device is proximate to the computer system. Then, the computer system can display the user interface in the display device of the computer system, and request that the user provide the user identifier and password. If the computer system determines that the mobile device is not proximate to the computer system by implementing the techniques described above, the computer system can deny the user access to the computer system and not display the user interface. Alternatively, the computer system can implement an additional authentication factor as described above, and display the user interface if the user successfully completes the additional authentication factor.

In some implementations, the computer system can be a node of a centralized network and can be coupled to a centralized server. The user may be authorized to access the centralized server only through the computer system. In such implementations, the server can store an association between the computer system and the mobile device. When the user attempts to access the network, the server can implement the authentication factors described above to determine that the user is attempting to do so through the computer system.

In some situations, the mobile device can be associated with more than one computer system to access the centralized server. Conversely, more than one mobile device can be associated with the computer system to access the computer system or the server or both.

Implementations of the subject matter and the operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Implementations of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage medium for execution by, or to control the operation of, data processing apparatus. Alternatively or in addition, the program instructions can be encoded on an artificially-generated propagated signal, for example, a machine-generated electrical, optical, or electromagnetic signal, which is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus.

A computer storage medium be, or be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Moreover, while a computer storage medium is not a propagated signal, a computer storage medium can be a source or destination of computer program instructions encoded in an artificially-generated propagated signal. The computer storage medium can also be, or be included in, one or more separate physical components or media (for example, multiple CDs, disks, or other storage devices).

The operations described in this specification can be implemented as operations performed by a data processing apparatus on data stored on one or more computer-readable storage devices or received from other sources. For example, the mobile device can include one or more computer-readable storage devices that store the computer software instructions. The mobile device can further include one or more data processing apparatuses that can read the computer software instructions from the computer-readable storage devices and execute them.

The term “data processing apparatus” encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, a system on a chip, or multiple ones, or combinations, of the them. The apparatus can include special purpose logic circuitry, for example, an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). The apparatus can also include, in addition to hardware, code that creates an execution environment for the computer program in question, for example, code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them.

A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, object, or other unit suitable for use in a computing environment. A computer program can, but need not, correspond to a file in a file system. A program can be stored in a portion of a file, in a single file dedicated to the program in question, or in multiple coordinated files (for example, files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.

The processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, for example, an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for performing actions in accordance with instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, for example, magnetic, magneto-optical disks, or optical disks.

However, a computer need not have such devices. Moreover, a computer can be embedded in another device, for example, a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device (for example, a universal serial bus (USB) flash drive), to name just a few.

Devices suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, for example, EPROM, EEPROM, and flash memory devices; magnetic disks, for example, internal hard disks or removable disks; magneto-optical disks; and SD cards, CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.

While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any disclosures or of what can be claimed, but rather as descriptions of features specific to particular implementations of particular disclosures. Certain features that are described in this specification in the context of separate implementations can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination. Moreover, although features can be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination can be directed to a subcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing can be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.

Thus, particular implementations of the subject matter have been described. Other implementations are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing can be advantageous. 

What is claimed is:
 1. A method performed by one or more computing devices, the method comprising: receiving data indicating input entered by a particular user through an interface of a first device; determining, based on the received data, that a first authentication factor for gaining access to the first device has been successfully provided; accessing association data indicating an association between a particular mobile device and the particular user, wherein the association data designated the particular mobile device as an authentication factor for the particular user before the data indicating the input was received; determining that a connection over a short-range wireless interface exists between the first device and the particular mobile device that was designated as an authentication factor for the particular user; authenticating the particular user for the access to the first device based at least on determining that (i) the user has successfully completed the first authentication factor, and (ii) that the connection over the short-range wireless interface exists between the first device and the particular mobile device that was designated as an authentication factor for the particular user; determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device; and in response to determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device, eliminating the association such that a connection between the particular mobile device and the first device over the short-range wireless interface no longer serves as an authentication factor for the particular user to obtain access to the first device.
 2. The method of claim 1, further comprising: before the input is entered by the particular user, forming the association between the particular mobile device and the particular user that designates the particular mobile device as an authentication factor for the particular user.
 3. The method of claim 2, wherein the association is formed through user interaction with the first device.
 4. The method of claim 2, wherein the association indicates that the particular mobile device belongs to the particular user.
 5. The method of claim 1, wherein determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device comprises determining that the particular mobile device has been reported lost.
 6. The method of claim 1, further comprising determining that the particular mobile device is located within a predetermined threshold distance of the first device; wherein authenticating the particular user is further based on determining that the particular mobile device is within the predetermined threshold distance of the first device.
 7. The method of claim 6, wherein determining that the particular mobile device is within the predetermined threshold distance of the first device comprises: receiving data indicating a location of the first device; receiving data indicating a location of the particular mobile device; and determining the distance between the first device and the particular mobile device based on the location of the first device and the location of the particular mobile device.
 8. The method of claim 1, comprising: establishing a connection between a mobile device and the first device over the short-range wireless interface; and communicating with the mobile device over the connection to determine an identity of the mobile device; wherein determining that the connection over the short-range wireless interface exists between the first device and the particular mobile device comprises: determining that the identity of the mobile device matches the identity of the particular mobile device that was designated as an authentication factor for the particular user.
 9. The method of claim 1, wherein the input entered by the particular user is a username and password associated with a user account belonging to the user.
 10. The method of claim 1, wherein determining that the connection over the short-range wireless interface exists is performed in response to receiving the data indicating the input.
 11. One or more non-transitory computer-readable data storage devices storing instructions that, when executed by one or more computing devices, cause the one or more computing devices to perform operations comprising: receiving data indicating input entered by a particular user through an interface of a first device; determining, based on the received data, that a first authentication factor for gaining access to the first device has been successfully provided; accessing association data indicating an association between a particular mobile device and the particular user, wherein the association data designated the particular mobile device as an authentication factor for the particular user before the data indicating the input was received; determining that a connection over a short-range wireless interface exists between the first device and the particular mobile device that was designated as an authentication factor for the particular user; authenticating the particular user for the access to the first device based at least on determining that (i) the user has successfully completed the first authentication factor, and (ii) that the connection over the short-range wireless interface exists between the first device and the particular mobile device that was designated as an authentication factor for the particular user; determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device; and in response to determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device, eliminating the association such that a connection between the particular mobile device and the first device over the short-range wireless interface no longer serves as an authentication factor for the particular user to obtain access to the first device.
 12. The device of claim 11, wherein the operations further comprise: before the input is entered by the particular user, forming the association between the particular mobile device and the particular user that designates the particular mobile device as an authentication factor for the particular user.
 13. The device of claim 12, wherein the association is formed through user interaction with the first device.
 14. The device of claim 12, wherein the association indicates that the particular mobile device belongs to the particular user.
 15. A system comprising one or more processors and one or more machine-readable media storing instructions that, when executed by the one or more processors, cause one or more computing devices to perform operations comprising: receiving data indicating input entered by a particular user through an interface of a first device; determining, based on the received data, that a first authentication factor for gaining access to the first device has been successfully provided; accessing association data indicating an association between a particular mobile device and the particular user, wherein the association data designated the particular mobile device as an authentication factor for the particular user before the data indicating the input was received; determining that a connection over a short-range wireless interface exists between the first device and the particular mobile device that was designated as an authentication factor for the particular user; authenticating the particular user for the access to the first device based at least on determining that (i) the user has successfully completed the first authentication factor, and (ii) that the connection over the short-range wireless interface exists between the first device and the particular mobile device that was designated as an authentication factor for the particular user; determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device; and in response to determining that the particular mobile device is no longer to be used to authenticate the particular user for access to the first device, eliminating the association such that a connection between the particular mobile device and the first device over the short-range wireless interface no longer serves as an authentication factor for the particular user to obtain access to the first device.
 16. The system of claim 15, wherein the operations further comprise: before the input is entered by the particular user, forming the association between the particular mobile device and the particular user that designates the particular mobile device as an authentication factor for the particular user.
 17. The system of claim 16, wherein the association is formed through user interaction with the first device.
 18. The system of claim 16, wherein the association indicates that the particular mobile device belongs to the particular user. 